
     1  package consul
     2  
     3  import (
     4  	"sync/atomic"
     5  	"time"
     6  
     7  	"github.com/hashicorp/consul/acl"
     8  	"github.com/hashicorp/consul/agent/metadata"
     9  	"github.com/hashicorp/consul/agent/structs"
    10  	"github.com/hashicorp/consul/lib"
    11  	"github.com/hashicorp/serf/serf"
    12  )
    13  
// clientACLCacheConfig bounds the ACL caches kept by a client agent:
// token identities, raw and parsed policies, and compiled authorizers.
// The limits are entry counts and are deliberately smaller than the
// server-side configuration, on the assumption that a single client agent
// sees fewer distinct identities than a server does.
//
// NOTE(review): only cache sizes are set here; any expiry/TTL of cached
// entries is configured elsewhere — confirm that before relying on these
// caches to stop honouring a revoked token promptly.
var clientACLCacheConfig = &structs.ACLCachesConfig{
	Identities:     1024, // identities / ACL tokens that can be cached
	Policies:       128,  // unparsed ACL policies that can be cached
	ParsedPolicies: 128,  // parsed ACL policies that can be cached
	Authorizers:    256,  // compiled multi-policy effective policies that can be cached
}
    29  
// UseLegacyACLs reports whether this client is still operating in legacy
// ACL mode. Within this file the flag is only ever set by monitorACLMode,
// through an atomic store, so it is read atomically here to keep the check
// race-free against that goroutine.
func (c *Client) UseLegacyACLs() bool {
	useNew := atomic.LoadInt32(&c.useNewACLs)
	return useNew == 0
}
    33  
// monitorACLMode watches the LAN gossip pool and, once every alive Consul
// server advertises the new ACL mode, flips this client out of legacy ACL
// mode (see UseLegacyACLs), advertises the same mode in its own serf tag
// and exits. Until then it polls with exponential backoff between
// aclModeCheckMinInterval and aclModeCheckMaxInterval, and returns early on
// shutdown. The transition is one-way: nothing in this file switches back.
//
// NOTE(review): the decision is driven entirely by server member tags read
// from serf, so it is only as trustworthy as the gossip layer itself
// (e.g. gossip encryption) — confirm that is acceptable for the deployment.
func (c *Client) monitorACLMode() {
	backoff := aclModeCheckMinInterval
	for {
		// ready ends up true only if at least one alive server was seen and
		// every alive server reports ACLModeEnabled; a single alive server
		// reporting anything else blocks the transition for this round.
		ready := false
		for _, member := range c.LANMembers() {
			isServer, parts := metadata.IsConsulServer(member)
			if !isServer || parts.Status != serf.StatusAlive {
				continue // non-servers and non-alive servers are ignored
			}
			if parts.ACLs != structs.ACLModeEnabled {
				ready = false
				break
			}
			ready = true
		}

		if ready {
			c.logger.Printf("[DEBUG] acl: transition out of legacy ACL mode")
			atomic.StoreInt32(&c.useNewACLs, 1)
			lib.UpdateSerfTag(c.serf, "acls", string(structs.ACLModeEnabled))
			return
		}

		select {
		case <-c.shutdownCh:
			return
		case <-time.After(backoff):
			// fall through to the next round
		}

		// Double the wait for the next round, capped at the maximum.
		backoff *= 2
		if backoff > aclModeCheckMaxInterval {
			backoff = aclModeCheckMaxInterval
		}
	}
}
    70  
// ACLDatacenter returns the datacenter a client should ask when resolving
// ACL material.
//
// Outside legacy mode the local datacenter is always returned: local
// servers must be queried first so that locally-scoped tokens are seen.
// In legacy mode the configured ACL datacenter is returned instead, falling
// back to the local datacenter when none is configured (the local DC is then
// assumed to be the ACL DC).
func (c *Client) ACLDatacenter(legacy bool) string {
	if !legacy {
		return c.config.Datacenter
	}
	if aclDC := c.config.ACLDatacenter; aclDC != "" {
		return aclDC
	}
	return c.config.Datacenter
}
    84  
// ACLsEnabled reports whether ACL enforcement is turned on in this client's
// configuration. It is a plain read of the config; no runtime state is
// consulted.
func (c *Client) ACLsEnabled() bool {
	cfg := c.config
	return cfg.ACLsEnabled
}
    88  
// ResolveIdentityFromToken is the client-side hook for turning a secret
// token into an ACL identity. Client agents do no local identity resolution
// at the moment, so it always answers "not resolved here" (false) with a nil
// identity and no error; presumably the resolver then falls back to asking
// the servers — verify against the caller. The token argument is unused.
func (c *Client) ResolveIdentityFromToken(token string) (resolved bool, identity structs.ACLIdentity, err error) {
	// Zero values of the named results: false, nil, nil.
	return
}
    93  
// ResolvePolicyFromID is the client-side hook for looking up an ACL policy
// by ID. Client agents do no local policy resolution at the moment, so it
// always answers "not resolved here" (false) with a nil policy and no
// error; presumably the resolver then falls back to the servers — verify
// against the caller. The policyID argument is unused.
func (c *Client) ResolvePolicyFromID(policyID string) (resolved bool, policy *structs.ACLPolicy, err error) {
	// Zero values of the named results: false, nil, nil.
	return
}
    98  
// ResolveToken turns a secret token into an acl.Authorizer by delegating to
// the client's ACL resolver (c.acls). Callers should treat a non-nil error
// as "not authorized" rather than falling back to a permissive default;
// the authorizer returned alongside an error is not meaningful.
func (c *Client) ResolveToken(token string) (acl.Authorizer, error) {
	authz, err := c.acls.ResolveToken(token)
	return authz, err
}